package org.alfresco.repo.security.authentication.identityservice;

import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;
import org.alfresco.repo.forms.processor.node.FormFieldConstants;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.endpoint.DefaultPasswordTokenResponseClient;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.class */
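/**
 * Spring {@link FactoryBean} that produces the {@link IdentityServiceFacade} used to talk to the
 * Identity Service (an OIDC authorization server).
 * <p>
 * The facade handed to Spring is lazy: the expensive part (OIDC discovery via
 * {@code ClientRegistrations.fromIssuerLocation}, JWK/JWT decoder setup) runs on first use, not at
 * bean creation, so a temporarily unreachable authorization server does not prevent the context from
 * starting. When {@link #setEnabled(boolean)} is {@code false}, {@link #getObject()} returns
 * {@code null}.
 * <p>
 * Two operations are exposed by the facade:
 * <ul>
 *   <li>{@code verifyCredentials(username, password)} — Resource Owner Password Credentials grant
 *       against the authorization server;</li>
 *   <li>{@code extractUsernameFromToken(bearerToken)} — decodes and validates a JWT and returns its
 *       {@code preferred_username} claim.</li>
 * </ul>
 */
public class IdentityServiceFacadeFactoryBean implements FactoryBean<IdentityServiceFacade> {
    private static final Log LOGGER = LogFactory.getLog(IdentityServiceFacadeFactoryBean.class);
    private boolean enabled;
    private SpringBasedIdentityServiceFacadeFactory factory;

    /**
     * {@link IdentityServiceFacade} that defers creation of the real facade until the first call.
     * <p>
     * Thread-safety: the target is held in an {@link AtomicReference}; concurrent first callers may
     * each invoke the supplier (the {@code updateAndGet} function can run more than once under
     * contention) but only one instance is published and the others are discarded.
     */
    public static class LazyInstantiatingIdentityServiceFacade implements IdentityServiceFacade {
        private final AtomicReference<IdentityServiceFacade> targetFacade = new AtomicReference<>();
        private final Supplier<IdentityServiceFacade> targetFacadeCreator;

        /**
         * @param supplier creates the real facade on demand; must not be {@code null}
         * @throws NullPointerException if {@code supplier} is {@code null}
         */
        LazyInstantiatingIdentityServiceFacade(Supplier<IdentityServiceFacade> supplier) {
            this.targetFacadeCreator = Objects.requireNonNull(supplier, "supplier");
        }

        /** Delegates to the lazily created facade. */
        @Override
        public void verifyCredentials(String username, String password) {
            getTargetFacade().verifyCredentials(username, password);
        }

        /** Delegates to the lazily created facade. */
        @Override
        public Optional<String> extractUsernameFromToken(String token) {
            return getTargetFacade().extractUsernameFromToken(token);
        }

        /**
         * Returns the published facade, creating and publishing it if none exists yet.
         *
         * @throws IdentityServiceFacade.IdentityServiceFacadeException if the facade cannot be created
         */
        private IdentityServiceFacade getTargetFacade() {
            final IdentityServiceFacade existing = this.targetFacade.get();
            if (existing != null) {
                return existing;
            }
            // Re-check inside the atomic update: another thread may have published in the meantime.
            return this.targetFacade.updateAndGet(current -> current != null ? current : createTargetFacade());
        }

        /**
         * Invokes the supplier, converting any unexpected runtime failure into an
         * {@link IdentityServiceFacade.IdentityServiceFacadeException}; facade exceptions pass through
         * untouched so callers see the original type.
         */
        private IdentityServiceFacade createTargetFacade() {
            try {
                return this.targetFacadeCreator.get();
            } catch (IdentityServiceFacade.IdentityServiceFacadeException e) {
                throw e;
            } catch (RuntimeException e) {
                LOGGER.warn("Failed to instantiate IdentityServiceFacade.", e);
                throw authorizationServerCantBeUsedException(e);
            }
        }
    }

    /**
     * {@link IdentityServiceFacade} backed by Spring Security's OAuth2 client support.
     */
    public static class SpringBasedIdentityServiceFacade implements IdentityServiceFacade {
        /** Registration id of the single {@link ClientRegistration} this facade uses. */
        static final String CLIENT_REGISTRATION_ID = "ids";
        /** Claim read by {@link #extractUsernameFromToken(String)}. */
        private static final String PREFERRED_USERNAME_CLAIM = "preferred_username";
        private final OAuth2AuthorizedClientManager oAuth2AuthorizedClientManager;
        private final JwtDecoder jwtDecoder;

        /**
         * @param oAuth2AuthorizedClientManager performs the password grant; must not be {@code null}
         * @param jwtDecoder decodes and validates bearer tokens; must not be {@code null}
         * @throws NullPointerException if either argument is {@code null}
         */
        SpringBasedIdentityServiceFacade(OAuth2AuthorizedClientManager oAuth2AuthorizedClientManager, JwtDecoder jwtDecoder) {
            this.oAuth2AuthorizedClientManager = Objects.requireNonNull(oAuth2AuthorizedClientManager, "oAuth2AuthorizedClientManager");
            this.jwtDecoder = Objects.requireNonNull(jwtDecoder, "jwtDecoder");
        }

        /**
         * Verifies a username/password pair by running the Resource Owner Password Credentials grant
         * against the authorization server.
         * <p>
         * Only the server-reported {@code OAuth2Error} (or the exception message) is logged; the
         * credentials themselves are never written to the log.
         *
         * @param username resource owner username
         * @param password resource owner password
         * @throws IdentityServiceFacade.CredentialsVerificationException if the server rejects the
         *         credentials, does not support the grant, or the request fails
         */
        @Override
        public void verifyCredentials(String username, String password) {
            try {
                final OAuth2AuthorizedClient authorizedClient =
                        this.oAuth2AuthorizedClientManager.authorize(createPasswordCredentialsRequest(username, password));
                // A null client / token means no provider handled the grant at all.
                if (authorizedClient == null || authorizedClient.getAccessToken() == null) {
                    throw new IdentityServiceFacade.CredentialsVerificationException("Resource Owner Password Credentials is not supported by the Authorization Server.");
                }
            } catch (OAuth2AuthorizationException e) {
                LOGGER.debug("Failed to authorize against Authorization Server. Reason: " + e.getError() + FormFieldConstants.DOT_CHARACTER);
                throw new IdentityServiceFacade.CredentialsVerificationException("Authorization against the Authorization Server failed with " + e.getError() + FormFieldConstants.DOT_CHARACTER, e);
            } catch (RuntimeException e) {
                LOGGER.warn("Failed to authorize against Authorization Server. Reason: " + e.getMessage());
                throw new IdentityServiceFacade.CredentialsVerificationException("Failed to authorize against Authorization Server.", e);
            }
        }

        /**
         * Decodes and validates a bearer token and returns its {@code preferred_username} claim.
         * <p>
         * Validation is whatever the configured {@link JwtDecoder} enforces (see
         * {@link SpringBasedIdentityServiceFacadeFactory#createJwtDecoder}); a token that fails
         * signature or claim validation is reported as a {@link IdentityServiceFacade.TokenException}.
         *
         * @param token raw JWT; must not be {@code null}
         * @return the claim value when present and a {@code String}, otherwise empty
         * @throws IdentityServiceFacade.TokenException if the token cannot be decoded or validated
         *         (a {@code null} token surfaces this way too, as the NPE is wrapped)
         */
        @Override
        public Optional<String> extractUsernameFromToken(String token) {
            try {
                final Jwt jwt = this.jwtDecoder.decode(Objects.requireNonNull(token, "token"));
                if (LOGGER.isDebugEnabled()) {
                    // NOTE(review): whether this exposes token claims depends on Jwt#toString — confirm
                    // before enabling debug logging in shared environments.
                    LOGGER.debug("Bearer token outcome: " + jwt);
                }
                return Optional.ofNullable(jwt)
                        .map(Jwt::getClaims)
                        .map(claims -> claims.get(PREFERRED_USERNAME_CLAIM))
                        .filter(String.class::isInstance)
                        .map(String.class::cast);
            } catch (RuntimeException e) {
                throw new IdentityServiceFacade.TokenException("Failed to decode token. " + e.getMessage(), e);
            }
        }

        /**
         * Builds the authorize request for the password grant; username and password travel as
         * request attributes that the password provider reads.
         */
        private OAuth2AuthorizeRequest createPasswordCredentialsRequest(String username, String password) {
            return OAuth2AuthorizeRequest.withClientRegistrationId(CLIENT_REGISTRATION_ID)
                    .principal(username)
                    .attribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username)
                    .attribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password)
                    .build();
        }
    }

    /**
     * Wires the Spring Security OAuth2 client objects (REST template, client registration,
     * authorized-client manager, JWT decoder) from an {@link IdentityServiceConfig}.
     */
    public static class SpringBasedIdentityServiceFacadeFactory {
        /**
         * Allowed clock drift between this node and the authorization server when checking token
         * timestamps. Zero means no tolerance: a token whose {@code exp}/{@code nbf} is even slightly
         * off relative to the local clock is rejected.
         */
        private static final long CLOCK_SKEW_MS = 0;
        /** Value expected in the {@code typ} claim of accepted tokens. */
        private static final String EXPECTED_TOKEN_TYPE = "Bearer";
        private final IdentityServiceConfig config;

        /**
         * {@link OAuth2AuthorizedClientService} that never stores anything, so every
         * {@code verifyCredentials} call performs a fresh password grant instead of reusing a cached
         * authorized client.
         */
        public static class NoStoredAuthorizedClient implements OAuth2AuthorizedClientService {
            private NoStoredAuthorizedClient() {
            }

            /** Always {@code null}: nothing is ever stored. */
            @Override
            public <T extends OAuth2AuthorizedClient> T loadAuthorizedClient(String clientRegistrationId, String principalName) {
                return null;
            }

            /** No-op. */
            @Override
            public void saveAuthorizedClient(OAuth2AuthorizedClient oAuth2AuthorizedClient, Authentication authentication) {
            }

            /** No-op. */
            @Override
            public void removeAuthorizedClient(String clientRegistrationId, String principalName) {
            }
        }

        /**
         * {@link ClientRegistrationRepository} holding exactly one registration.
         */
        public static class SingleClientRegistration implements ClientRegistrationRepository {
            private final ClientRegistration clientRegistration;

            /**
             * @throws NullPointerException if {@code clientRegistration} is {@code null}
             */
            private SingleClientRegistration(ClientRegistration clientRegistration) {
                this.clientRegistration = Objects.requireNonNull(clientRegistration, "clientRegistration");
            }

            /** Returns the registration when the id matches, otherwise {@code null}. */
            @Override
            public ClientRegistration findByRegistrationId(String registrationId) {
                return Objects.equals(registrationId, this.clientRegistration.getRegistrationId())
                        ? this.clientRegistration
                        : null;
            }
        }

        /**
         * @param identityServiceConfig connection and client settings; must not be {@code null}
         * @throws NullPointerException if {@code identityServiceConfig} is {@code null}
         */
        SpringBasedIdentityServiceFacadeFactory(IdentityServiceConfig identityServiceConfig) {
            this.config = Objects.requireNonNull(identityServiceConfig, "identityServiceConfig");
        }

        /**
         * Creates a fully wired facade. Performs OIDC discovery against the configured issuer, so this
         * is a network call.
         *
         * @throws IdentityServiceFacade.IdentityServiceFacadeException if discovery or decoder setup fails
         */
        public IdentityServiceFacade createIdentityServiceFacade() {
            final RestTemplate restTemplate = createRestTemplate();
            final ClientRegistration clientRegistration = createClientRegistration(restTemplate);
            return new SpringBasedIdentityServiceFacade(
                    createAuthorizedClientManager(restTemplate, clientRegistration),
                    createJwtDecoder(clientRegistration));
        }

        /**
         * REST template used for the token endpoint: connection/read timeouts come from the config,
         * and responses are parsed as form or OAuth2 access-token responses.
         */
        private RestTemplate createRestTemplate() {
            final SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
            requestFactory.setConnectTimeout(this.config.getClientConnectionTimeout());
            requestFactory.setReadTimeout(this.config.getClientSocketTimeout());
            final RestTemplate restTemplate = new RestTemplate(Arrays.asList(
                    new FormHttpMessageConverter(),
                    new OAuth2AccessTokenResponseHttpMessageConverter()));
            restTemplate.setRequestFactory(requestFactory);
            restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
            return restTemplate;
        }

        /**
         * Builds the client registration from the issuer's OIDC discovery document. The client
         * authenticates to the token endpoint with HTTP Basic (client id/secret) and uses the password
         * grant.
         * <p>
         * Note: the {@code restTemplate} argument is not used by discovery —
         * {@code ClientRegistrations.fromIssuerLocation} performs its own HTTP call, so the configured
         * timeouts do not apply to it.
         *
         * @throws IdentityServiceFacade.IdentityServiceFacadeException if discovery fails
         */
        private ClientRegistration createClientRegistration(RestTemplate restTemplate) {
            try {
                return ClientRegistrations.fromIssuerLocation(this.config.getIssuerUrl())
                        .clientId(this.config.getResource())
                        .clientSecret(this.config.getClientSecret())
                        .authorizationGrantType(AuthorizationGrantType.PASSWORD)
                        .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                        .registrationId(SpringBasedIdentityServiceFacade.CLIENT_REGISTRATION_ID)
                        .build();
            } catch (RuntimeException e) {
                LOGGER.warn("Failed to create ClientRegistration.", e);
                throw authorizationServerCantBeUsedException(e);
            }
        }

        /**
         * Authorized-client manager limited to the password grant. Username/password are passed
         * through from the authorize request attributes (see
         * {@link SpringBasedIdentityServiceFacade#createPasswordCredentialsRequest}); nothing is cached
         * between calls because {@link NoStoredAuthorizedClient} discards every result.
         */
        private OAuth2AuthorizedClientManager createAuthorizedClientManager(RestTemplate restTemplate, ClientRegistration clientRegistration) {
            final AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                    new AuthorizedClientServiceOAuth2AuthorizedClientManager(
                            new SingleClientRegistration(clientRegistration),
                            new NoStoredAuthorizedClient());
            manager.setAuthorizedClientProvider(OAuth2AuthorizedClientProviderBuilder.builder()
                    .password(passwordGrantBuilder -> {
                        final DefaultPasswordTokenResponseClient tokenResponseClient = new DefaultPasswordTokenResponseClient();
                        tokenResponseClient.setRestOperations(restTemplate);
                        passwordGrantBuilder.accessTokenResponseClient(tokenResponseClient);
                        passwordGrantBuilder.clockSkew(Duration.of(CLOCK_SKEW_MS, ChronoUnit.MILLIS));
                    })
                    .build());
            // Expose the request attributes (username/password) to the password provider.
            manager.setContextAttributesMapper(OAuth2AuthorizeRequest::getAttributes);
            return manager;
        }

        /**
         * Creates the decoder used for bearer tokens. Signature verification and key resolution come
         * from {@link OidcIdTokenDecoderFactory} (keys are taken from the registration's provider
         * details); the claim validation is replaced with a custom set:
         * <ul>
         *   <li>{@code exp}/{@code nbf} timestamps with {@link #CLOCK_SKEW_MS} tolerance;</li>
         *   <li>{@code iss} equal to the discovered issuer URI;</li>
         *   <li>{@code typ} equal to {@value #EXPECTED_TOKEN_TYPE};</li>
         *   <li>{@code sub} present.</li>
         * </ul>
         * NOTE(review): because the default OIDC validator is replaced, no audience ({@code aud})
         * check is performed here — any token from this issuer that satisfies the claims above is
         * accepted, regardless of which client it was issued for. Confirm that is intended.
         *
         * @throws IdentityServiceFacade.IdentityServiceFacadeException if the decoder cannot be created
         */
        private JwtDecoder createJwtDecoder(ClientRegistration clientRegistration) {
            final OidcIdTokenDecoderFactory decoderFactory = new OidcIdTokenDecoderFactory();
            decoderFactory.setJwtValidatorFactory(registration -> new DelegatingOAuth2TokenValidator<>(
                    new JwtTimestampValidator(Duration.of(CLOCK_SKEW_MS, ChronoUnit.MILLIS)),
                    new JwtIssuerValidator(registration.getProviderDetails().getIssuerUri()),
                    new JwtClaimValidator<>("typ", EXPECTED_TOKEN_TYPE::equals),
                    new JwtClaimValidator<>("sub", Objects::nonNull)));
            try {
                return decoderFactory.createDecoder(clientRegistration);
            } catch (RuntimeException e) {
                LOGGER.warn("Failed to create JwtDecoder.", e);
                throw authorizationServerCantBeUsedException(e);
            }
        }
    }

    /**
     * Enables or disables the facade; when disabled {@link #getObject()} yields {@code null}.
     */
    public void setEnabled(boolean enabled) {
        this.enabled = enabled;
    }

    /**
     * Sets the configuration from which the facade is built.
     *
     * @throws NullPointerException if {@code identityServiceConfig} is {@code null}
     */
    public void setIdentityServiceConfig(IdentityServiceConfig identityServiceConfig) {
        this.factory = new SpringBasedIdentityServiceFacadeFactory(identityServiceConfig);
    }

    /**
     * Returns a lazily initialising facade, or {@code null} when disabled.
     *
     * @throws NullPointerException if enabled but {@link #setIdentityServiceConfig} was never called
     */
    @Override
    public IdentityServiceFacade getObject() throws Exception {
        if (!this.enabled) {
            return null;
        }
        final SpringBasedIdentityServiceFacadeFactory facadeFactory =
                Objects.requireNonNull(this.factory, "identityServiceConfig has not been set");
        return new LazyInstantiatingIdentityServiceFacade(facadeFactory::createIdentityServiceFacade);
    }

    @Override
    public Class<?> getObjectType() {
        return IdentityServiceFacade.class;
    }

    @Override
    public boolean isSingleton() {
        return true;
    }

    /**
     * Wraps a setup failure in the exception type callers of the facade expect.
     */
    public static IdentityServiceFacade.IdentityServiceFacadeException authorizationServerCantBeUsedException(RuntimeException cause) {
        return new IdentityServiceFacade.IdentityServiceFacadeException("Unable to use the Authorization Server.", cause);
    }
}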
